
The TJX Cos., the retail giant for which Butka is CIO, revealed Wednesday that an "unauthorized intrusion" into its transaction management systems could expose hundreds of thousands of its customers to credit card fraud and identity theft.

It's possible no one will be fired. But speculation is at fever pitch, and industry insiders who know about corporate embarrassment -- and reactions to it -- say that when top brass starts swinging the proverbial ax, they're most likely to drop it on senior IT executives.

"More than likely, there will be a sacrificial lamb," said security analyst Pete Lindstrom of Burton Group Inc. in Midvale, Utah. "I would expect it to be the CIO or a senior-level CISO to be let go."

But that doesn't necessarily mean any single person was at fault.

"Now, it's possible, there will be some sort of investigation that finds that this couldn't have been stopped. And it's really hard to tell. They may never know how that stuff got in."

If TJX decides against firing anyone, said Jack Phillips, a managing partner at the Boston-based Institute for Applied Network Security, it means senior corporate executives will decide the correct systems, software and procedures were in place -- and agree that even the best systems, and best CIOs, do not come with 100% guarantees.

Protecting from the inside out

Data breaches will continue to be a problem until companies realize a strong perimeter isn't enough.

"What they call best practices tend to really focus on the perimeter," said Neil Weicher, CTO at NetLib Encryptionizer, a Stamford, Conn.-based vendor of data encryption software. "The DBAs [database administrators], if something happens, the DBA can really legitimately say, 'I was just following best practices.' Right now the focus is on how to keep people from the data. What people need to focus on is what happens when people get to that data."

Weicher said companies need to use technology such as encryption to ensure that data is unusable when criminals reach it. He compares this approach to the banking industry practice of putting exploding red dye packets in bags of money.

"They have the perimeter protection," he said. "They have vaults, silent alarms, armed guards. But they still put red dye in the bags because they know that at some point someone is going to get to it. People need to start protecting data in the same way, because you are never going to get to the point where people can't get to it."

-- Shamus McGillicuddy

Given the scope and size of TJX, the company was probably about as secure as any retail company could be, Phillips said.

Still, TJX officials must factor consumer confidence into any decision they make. The stakes are high. "Someone has to take the fall for it," Phillips said. "This would have to escalate to the highest-level technology person."

The Framingham, Mass.-based retail company operates 2,000 stores around the world, including T.J. Maxx, Marshalls, HomeGoods and Bob's Stores. TJX didn't offer details of how the attacker breached its systems and declined to estimate how many customers may have been affected by the data breach. In a press release, TJX said it had hired General Dynamics Corp. in Falls Church, Va., and IBM to strengthen the security of its computer systems.

"Since discovering this crime, we have been working diligently to further protect our customers and strengthen the security of our computer systems, and we believe customers should feel safe shopping at our stores," said Ben Cammarata, chairman and acting CEO of TJX in a statement issued yesterday and posted on the company's Web page.

TJX said it discovered the breach in mid-December, but the company put off an announcement of the crime while it worked with law enforcement agencies to investigate it.

The company has identified a limited number of customers whose private information was stolen and is notifying them directly. TJX officials said they do not know if they will be able to identify the names of other customers who are at risk.

In a press release issued yesterday, TJX said the attacker accessed a system that manages customer transactions and returns for its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada. The systems that process transactions for its T.K. Maxx stores in the U.K. and Ireland and its Bob's Stores in the U.S. may also have been compromised, according to the release.

According to the Privacy Rights Clearinghouse, a San Diego-based privacy rights advocacy group, the TJX breach is the 10th data security breach disclosed this month in the U.S. Since the organization started tracking data breaches in February 2005, more than 100 million records of U.S. residents have been exposed.

"This is certainly a comment about the threat environment. The sophistication of the bad guy is on the rise," Phillips said. "A strong security posture can still be beaten. So there is that void, that middle ground between a reasonable security posture and a very intelligent hacker."

If Butka or another top-ranking IT executive takes heat for the TJX breach, it won't set a precedent. The resignation of Pedro Cadenas Jr., chief information security officer (CISO) and acting CIO at the U.S. Department of Veterans Affairs, is the most recent example of an IT exec taking the fall for security snafus.

Experts say the CIO is often the first executive to be called to task for any IT security violation, despite the fact that problems with security generally involve a number of departments.

According to Phillips, the problem at many companies is executives don't know whom to blame because they haven't assigned responsibility for risk.

Still, Phillips said that despite the flap over the incident, it only highlights what we already know: data is always compromised.

"It will seem to the public as though the sky is falling," he said, "but in terms of sheer numbers, it's still a blip on the radar."

Shamus McGillicuddy and Linda Tucci contributed to this article.
